So I've been given a little bit of money to buy a software tool to help me with AD. I'd like this tool to:

1. Allow me to scan for, disable and move inactive accounts or to delete them based in a date I enter.

2. Allow me to scan for, disable and move or delete computer accounts that have not been used for a certain amount of time, once again based on a date I enter.

3. Allow to easily bulk create AD accounts from a CSV (300+ at a time). This would include putting them into a group, setting their home folder locations, creating their (empty) home folders, setting their passwords and setting various AD fields for them (including things like "User cannot change password" etc).

4. Allow me search AD for various criteria, then export the results into a CSV with columns I select.

5. Not have an ongoing fee (so no subscription service, or paid support) and not cost millions of dollars, a few hundred tops.

6. Have some sort of trial period that I can test it out before buying it.

Yes, I know you can do all of this in powershell, and yes I know there are some free tools out there. But I have tried the free ones and have found none that work, and I simply do not have the time to develop and test powershell scripts for me to use once a year when I do all of this. I am looking for easy point and click and go.

Thanks in advance for your suggestions.

EDIT: I do not want a powershell solution. I know very well it can be done in powershell, and I know that this would be free and would be a skill to have, but for my needs at this point in time a powershell solution would not work for me.

18 Replies

This person is a verified professional.

# This PowerShell Command will query Active Directory and return the computer accounts which have not logged for the past
# 60 days. You can easily change the number of days from 60 to any number of your choosing. lastLogonDate is a Human
# Readable conversion of the lastLogonTimeStamp (as far as I am able to discern. More details about the timestamp can
# be found at technet - http://bit.ly/YpGWXJ --MWT, 03/12/13
$then = (Get-Date).AddDays(-60) # The 60 is the number of days from today since the last logon.
Get-ADComputer -Property Name,lastLogonDate -searchbase "OU=Computers,DC=domain,DC=com" -Filter {lastLogonDate -lt $then} | ft
Read-host "Press Enter to Exit"
# If you would like to Disable these computer accounts, uncomment the following line:
#Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false
# If you would like to Remove these computer accounts, uncomment the following line:
# Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer
# If you would like to Move these computer accounts, uncomment the following line:
#Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Move-ADObject -TargetPath "OU=Tombstone,DC=domain,DC=com"

Here a computer script. Pretty easy to useFor user script just replace the adcomputer with aduser.

This person is a verified professional.

Invest that money into a Pluralsight subscription and the 'powershell in a month of lunches book and start learning powershell. powershell can do all that and more and it's a skill that is and will be in demand and thus really nice to have.

This person is a verified professional.

Invest that money into a Pluralsight subscription and the 'powershell in a month of lunches book and start learning powershell. powershell can do all that and more and it's a skill that is and will be in demand and thus really nice to have.

Yes, I get that. I just don't have the time. Plus this tool will need to be used by our Data admin as well. And she has even less time and desire to use powershell than I do, so we are willing to pay the money for a professionally made GUI tool.

This person is a verified professional.

Invest that money into a Pluralsight subscription and the 'powershell in a month of lunches book and start learning powershell. powershell can do all that and more and it's a skill that is and will be in demand and thus really nice to have.

Yes, I get that. I just don't have the time. Plus this tool will need to be used by our Data admin as well. And she has even less time and desire to use powershell than I do, so we are willing to pay the money for a professionally made GUI tool.

This person is a verified professional.

While there are a lot of tools out there, some even free, that can do the query/reporting side, when you get into updating the directory, you will find that the tools get to be mostly non-free as there is complexity in making / supporting a product that actually does something.

Here are a few tools that can probably do most of these things. Most should have evals too:

Javelina Software - They have several tools, not sure if one can do it all. Been around a long time.

SystemTools Software (Hyena) - Also has been around a long time and can do all of this.

Softerra Adaxes - Might be pricey, but I think anyone that uses it is happy with it. Very powerful.

WiseSoft Bulk AD Users - Many swear by it, just don't think it can do the home directory creation automation (not sure). They do not appear to be on SpiceWorks. Did I mention its free ?

I'll link to the vendor pages and you can go from there.

Powershell can do everything, and many think is it the bomb. You will have to still learn any product, and any product that can do all of the things you listing will take a learning curve. With Powershell you will have one-off specialized small apps that just perform a single task, while a GUI tool/product will let you do a lot more from a GUI and maybe save the time to get you time to learn Powershell.

2. Allow me to scan for, disable and move or delete computer accounts that have not been used for a certain amount of time, once again based on a date I enter.

Answer

Text

$then = (Get-Date).AddDays(-90) # The 90 is the number of days from today since the last logon.
Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | FT Name,lastLogonDate
# If you would like to Disable these computer accounts, uncomment the following line:
# Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Set-ADComputer -Enabled $false
# If you would like to Remove these computer accounts, uncomment the following line:
# Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $then} | Remove-ADComputer

3. Allow to easily bulk create AD accounts from a CSV (300+ at a time). This would include putting them into a group, setting their home folder locations, creating their (empty) home folders, setting their passwords and setting various AD fields for them (including things like "User cannot change password" etc).

Neally, thanks for recommending Netwrix Auditor for Active Directory application(20 days free trial) but it is not a management solution, regarding the needs of the OP Netwrix Auditor has Inactive User Tracker feature(there is a separate free tool as well) which can automatically disable, move to another OU, reset password, delete user accounts after certain amount of inactive time(you decide).

This person is a verified professional.

Your number 5 requirement is going to hold you back. While you don't want to take the powershell path, it is the best bulk edit/management tool for AD that I have found. I am no powershell guru but have been able to do many things with powershell, thanks to an awesome amount of info on the web, including creating/decommissioning users in bulk with Exchange accounts from a CSV. There are also certain bulk commands you can do in the ADUC console, highlight a list of computers or users and go to properties and it will show checkboxes for which bulk operations are supported under each tab.

This person is a verified professional.

Number 5 (cost) should not hold you back as long as you can afford $300 (less in volume) per seat. Now support is another matter, my philosophy is that if you have to pay for support for an inexpensive product...well that is just wierd.

And I can't agree more with hutchingsp, its sometimes amazing how much time some admins are willing to spend trying to automate a task or reinvent the wheel, where it can be done in a few seconds/clicks with a flexible tool.